MISP
/
misp-objects
mirror of https://github.com/MISP/misp-objects
2
0
Fork 0
Code Issues Releases Wiki Activity

Compare commits

base: MISP:1abf2bf705be36d85e59a457551a9e24e55fc732
Branches Tags
MISP:main
MISP:chrisr3d_patch
MISP:training
MISP:ls20-reports
MISP:v2.4.192
MISP:v2.4.190
MISP:v2.4.189
MISP:v2.4.188
MISP:v2.4.187
MISP:v2.4.185
MISP:v2.4.184
MISP:v2.4.183
MISP:v2.4.182
MISP:v2.4.179
MISP:v2.4.178
MISP:v2.4.176
MISP:v2.4.175
MISP:v2.4.174
MISP:v2.4.173
MISP:v2.4.172
MISP:v2.4.171
MISP:v2.4.170
MISP:v2.4.169
MISP:v2.4.168
MISP:v2.4.167
MISP:v2.4.166
MISP:v2.4.165
MISP:v2.4.163
MISP:v2.4.162
MISP:v2.4.160
MISP:v2.4.159
MISP:v2.4.158
MISP:v2.4.157
MISP:v2.4.156
MISP:v2.4.154
MISP:v2.4.153
MISP:v2.4.152
MISP:v2.4.151
MISP:v2.4.145
MISP:v2.4.144
MISP:v2.4.142
...
compare: MISP:2061c353feda50315c2bc901413df17a06432616
Branches Tags
MISP:main
MISP:chrisr3d_patch
MISP:training
MISP:ls20-reports
MISP:v2.4.192
MISP:v2.4.190
MISP:v2.4.189
MISP:v2.4.188
MISP:v2.4.187
MISP:v2.4.185
MISP:v2.4.184
MISP:v2.4.183
MISP:v2.4.182
MISP:v2.4.179
MISP:v2.4.178
MISP:v2.4.176
MISP:v2.4.175
MISP:v2.4.174
MISP:v2.4.173
MISP:v2.4.172
MISP:v2.4.171
MISP:v2.4.170
MISP:v2.4.169
MISP:v2.4.168
MISP:v2.4.167
MISP:v2.4.166
MISP:v2.4.165
MISP:v2.4.163
MISP:v2.4.162
MISP:v2.4.160
MISP:v2.4.159
MISP:v2.4.158
MISP:v2.4.157
MISP:v2.4.156
MISP:v2.4.154
MISP:v2.4.153
MISP:v2.4.152
MISP:v2.4.151
MISP:v2.4.145
MISP:v2.4.144
MISP:v2.4.142

10 Commits
1abf2bf705 ... 2061c353fe

Author SHA1 Message Date
Alexandre Dulaunoy 2061c353fe
fix: [ransomware-group-post] added the missing descriptions for `actor-geo-stats-30d` and `actor-total-stats-30d` 2024-04-24 16:47:47 +02:00
Alexandre Dulaunoy 42b48439da
chg: [ransomware-group-post] severity field sane default added 2024-04-24 16:42:39 +02:00
Alexandre Dulaunoy 8aea824bbe
chg: [doc] updated 2024-04-24 16:34:36 +02:00
Alexandre Dulaunoy 9f98d15a6f
fix: [cs-beacong-config] typo fixed 2024-04-24 16:29:33 +02:00
Alexandre Dulaunoy f3724ad19b
fix: [cs-beacon-config] updated the NAICS description 2024-04-24 16:23:53 +02:00
Alexandre Dulaunoy 7f95d3290a
chg: [cs-beacon-config] major update following shadowserver.org requirements 
- Fixed some matching type instead of text (like size-in-bytes or integer)
- Added many fields and replace name with `_` to `-`
- Added some basic description
 2024-04-24 16:19:47 +02:00
Alexandre Dulaunoy 3d78e17c4b
chg: [ransomware-group-post] updated with shadowserver object template 
format

- underscores replaced with hyphen
- descriptions added
- decorrelation added for some fields
 2024-04-24 15:19:02 +02:00
Alexandre Dulaunoy 16b354c04c
chg: [instant-message] remove newlines 2024-04-24 14:30:19 +02:00
Alexandre Dulaunoy 9f7cabf25c
Merge pull request #428 from menewol/main 
Added Mattermost
 2024-04-24 14:23:19 +02:00
menewol 93b43a3191
Added Mattermost 2024-04-24 14:11:50 +02:00
4 changed files with 165 additions and 9 deletions
Show Stats Expand all files Collapse all files

7
README.md
View File

@ -153,7 +153,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/credential](https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json) - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
- [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json) - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.
- [objects/crowdsec-ip-context](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json) - CrowdSec Threat Intelligence - IP CTI search.
- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
- [objects/crypto-material](https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json) - Cryptographic materials such as public or/and private keys.
- [objects/cryptocurrency-transaction](https://github.com/MISP/misp-objects/blob/main/objects/cryptocurrency-transaction/definition.json) - An object to describe a cryptocurrency transaction.
- [objects/cs-beacon-config](https://github.com/MISP/misp-objects/blob/main/objects/cs-beacon-config/definition.json) - Cobalt Strike Beacon Config.
@ -169,7 +169,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain.
- [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time.
- [objects/domain-ip](https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json) - A domain/hostname and IP address seen as a tuple in a specific time frame.
- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
- [objects/elf](https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json) - Object describing a Executable and Linkable Format.
- [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format.
- [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
@ -190,6 +190,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information.
- [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm.
- [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm.
- [objects/flowintel-cm-task-note](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task-note/definition.json) - A task's note as defined by flowintel-cm.
- [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
- [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
- [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
@ -336,7 +337,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
- [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io.
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io or others.
- [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
- [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
- [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.

91
objects/cs-beacon-config/definition.json
View File

@ -1,11 +1,43 @@
{
"attributes": {
"architecture": {
"description": "Hardware architecture of the sample",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"asn": {
"description": "Originating ASN for the CS Beacon Config",
"disable_correlation": true,
"misp-attribute": "AS",
"ui-priority": 0
},
"beacon-host": {
"description": "Beacon host IP",
"misp-attribute": "ip-dst",
"ui-priority": 0
},
"beacon-type": {
"description": "Beacon type used",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"binary-md5": {
"description": "MD5 of the binary delivered",
"misp-attribute": "md5",
"ui-priority": 0
},
"binary-sha1": {
"description": "SHA1 of the binary delivered",
"misp-attribute": "sha1",
"ui-priority": 0
},
"binary-sha256": {
"description": "SHA256 of the binary delivered",
"misp-attribute": "sha256",
"ui-priority": 0
},
"c2": {
"categories": [
"Network activity"
@ -21,12 +53,67 @@
"misp-attribute": "text",
"ui-priority": 0
},
"config-md5": {
"description": "MD5 of the configuration",
"misp-attribute": "md5",
"ui-priority": 0
},
"config-sha1": {
"description": "SHA1 of the configuration",
"misp-attribute": "sha1",
"ui-priority": 0
},
"config-sha256": {
"description": "SHA256 of the configuration",
"misp-attribute": "sha256",
"ui-priority": 0
},
"content-length": {
"description": "Content length of the payload",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"content-type": {
"description": "Content/type received",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"encoded-data": {
"description": "Encoded payload data in Base64",
"misp-attribute": "text",
"ui-priority": 0
},
"encoded-length": {
"description": "Length of the encoded data",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"geo": {
"description": "Country location of the CS Beacon Config",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"http": {
"description": "HTTP protocol used",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"http-code": {
"description": "HTTP return code",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"http-url": {
"description": "HTTP url path of the beacon",
"misp-attribute": "text",
"ui-priority": 0
},
"ip": {
"description": "IP of the C2",
"misp-attribute": "ip-dst",
@ -55,7 +142,7 @@
"ui-priority": 1
},
"naics": {
"description": "North American Industry Classification System Code",
"description": "North American Industry Classification System Code (NAICS)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
@ -112,5 +199,5 @@
"watermark"
],
"uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
"version": 4
"version": 6
}

3
objects/instant-message/definition.json
View File

@ -22,7 +22,8 @@
"Discord",
"Mumble",
"Jabber",
"Twitter"
"Twitter",
"Mattermost"
],
"ui-priority": 1
},

73
objects/ransomware-group-post/definition.json
View File

@ -1,7 +1,26 @@
{
"attributes": {
"actor-geo-stats-30d": {
"description": "Count of how many other victims were publicly leaked by the same ransomware actor in the country of the victim during the past 30 days",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"actor-total-stats-30d": {
"description": "Count of how many other victims were publicly leaked by the same ransomware actor worldwide during the past 30 days",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"date": {
"description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"date-published": {
"description": "Initial published date of the post on the ransomware group blog.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
@ -10,25 +29,73 @@
"misp-attribute": "text",
"ui-priority": 1
},
"entity-name": {
"description": "Entity name of the victim referenced in the post of the ransomware group.",
"misp-attribute": "text",
"ui-priority": 1
},
"geo": {
"description": "Geographic (main) location of the victim referenced in the post of the ransomware group.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"leak-site-url": {
"description": "Link to the post.",
"misp-attribute": "link",
"ui-priority": 1
},
"link": {
"description": "Original URL location of the post.",
"misp-attribute": "link",
"ui-priority": 1
},
"ransomware-group": {
"description": "Ransomware group where the post is mentioned.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"sector": {
"description": "Sector (main) of the victim referenced in the post of the ransomware group.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"severity": {
"description": "Severity of the post mentioned.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"critical",
"high",
"medium",
"low",
"info"
],
"ui-priority": 1
},
"title": {
"description": "Title of blog post.",
"misp-attribute": "text",
"ui-priority": 1
},
"website": {
"description": "Website of the victim referenced in the post of the ransomware group.",
"misp-attribute": "link",
"ui-priority": 1
}
},
"description": "Ransomware group post as monitored by ransomlook.io",
"description": "Ransomware group post as monitored by ransomlook.io or others",
"meta-category": "misc",
"name": "ransomware-group-post",
"requiredOneOf": [
"title",
"description",
"link"
"link",
"website",
"leak-site-url"
],
"uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
"version": 1
"version": 4
}